Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons mww-disclaimer-buttons allows Stored XSS. This issue affects MWW Disclaimer Buttons: from n/a through <= 3.41.
Published: 2025-09-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper neutralization of user input during web page generation, which allows malicious JavaScript to be stored and later executed in the browser of any visitor who views the affected plugin content. The attacker can inject arbitrary scripts that run with the privileges of the visiting user.

Affected Systems

All WordPress sites that use the Jennifer Moss MWW Disclaimer Buttons plugin version 3.41 or earlier are affected. The plugin stores disclaimer text in the database and displays it on the front end, providing the means for the stored payload to be served to site visitors.

Risk and Exploitability

The CVSS base score of 5.9 places this flaw in the medium severity range. The EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by submitting malicious content through the plugin’s text input interface, which is then stored and rendered to visitors, resulting in Cross‑Site Scripting execution.

Generated by OpenCVE AI on May 1, 2026 at 06:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MWW Disclaimer Buttons plugin to a version newer than 3.41 if an official fix is released.
  • If an upgrade is not yet available, sanitize the disclaimer text input to remove potential scripting markup before storing it.
  • If both upgrading and sanitizing are not feasible, disable the plugin or remove it from the site to eliminate the attack surface.
  • After remediation, scan the WordPress database for any residual XSS payloads and verify the issue has been fully resolved.

Advisories
Source: EUVD
ID: EUVD-2025-31251
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons allows Stored XSS. This issue affects MWW Disclaimer Buttons: from n/a through 3.41.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons allows Stored XSS. This issue affects MWW Disclaimer Buttons: from n/a through 3.41.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons mww-disclaimer-buttons allows Stored XSS.This issue affects MWW Disclaimer Buttons: from n/a through <= 3.41.
Title
  Removed: WordPress MWW Disclaimer Buttons Plugin <= 3.41 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress MWW Disclaimer Buttons plugin <= 3.41 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Tue, 30 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons allows Stored XSS. This issue affects MWW Disclaimer Buttons: from n/a through 3.41.
Title WordPress MWW Disclaimer Buttons Plugin <= 3.41 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.818Z

Reserved: 2025-09-25T15:28:03.106Z

Link: CVE-2025-60154

Vulnrichment

Updated: 2025-09-26T14:28:36.018Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:44.157

Modified: 2026-06-17T09:49:27.560

Link: CVE-2025-60154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')